security.yml

name: Security Scan

on:
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]
  schedule:
    - cron: '0 2 * * 1'

jobs:
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
      
    strategy:
      fail-fast: false
      matrix:
        language: [ 'python', 'javascript', 'typescript' ]
        
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        category: "/language:${{ matrix.language }}"

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      
    - name: Dependency Review
      uses: actions/dependency-review-action@v3
      with:
        fail-on-severity: high
        allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC

  cargo-audit:
    name: Cargo Security Audit
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      
    - name: Install Rust toolchain
      uses: actions-rs/toolchain@v1
      with:
        toolchain: stable
        override: true
        
    - name: Install cargo-audit
      run: cargo install cargo-audit
      
    - name: Run cargo audit on smart contract
      run: cargo audit
      working-directory: smartcontract
      continue-on-error: true
      
    - name: Run cargo audit on relayer
      run: cargo audit
      working-directory: relayer
      continue-on-error: true

  npm-audit:
    name: NPM Security Audit
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      
    - name: Set up Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18'
        
    - name: Run npm audit
      run: npm audit --audit-level=high
      working-directory: frontend
      continue-on-error: true

  python-safety:
    name: Python Safety Check
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'
        
    - name: Install safety
      run: pip install safety
      
    - name: Run safety check
      run: safety check -r backend/requirements.txt
      continue-on-error: true

  secrets-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      
    - name: TruffleHog OSS
      uses: trufflesecurity/trufflehog@main
      with:
        path: ./
        base: ${{ github.event.repository.default_branch }}
        extra_args: --only-verified

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [codeql, dependency-review, cargo-audit, npm-audit, python-safety]
    if: always()
    
    steps:
    - name: Create security summary
      run: |
        echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "| Scan | Status |" >> $GITHUB_STEP_SUMMARY
        echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
        echo "| CodeQL | ✅ Completed |" >> $GITHUB_STEP_SUMMARY
        echo "| Dependency Review | ✅ Completed |" >> $GITHUB_STEP_SUMMARY
        echo "| Cargo Audit | ✅ Completed |" >> $GITHUB_STEP_SUMMARY
        echo "| NPM Audit | ✅ Completed |" >> $GITHUB_STEP_SUMMARY
        echo "| Python Safety | ✅ Completed |" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "Review the individual job results for details on any findings." >> $GITHUB_STEP_SUMMARY